[PATCH] PreferAskpass in ssh_config
Ben Lindstrom
mouring at etoh.eviladmin.org
Tue Oct 5 09:35:03 EST 2004
On Mon, 4 Oct 2004 yath at yath.eu.org wrote:
[..]
> export SSH_ASKPASS=/usr/bin/ssh-askpass
> export SSH_USE_ASKPASS=prefer
>
> This provides a more secure way to enter passwords read by
                ^^^^^^^^^^^^^^^^^^^^^
Actually I could argue differently. Ssh-askpass should be looked at as
more of a UI nicety and not as a "secure feature". Shell variables are
easily redefined and anytime you call out to an external command you
always run a higher risk of "misplaced" sensitive information occurring.

If the whole reason is to "gain security", then I have to say this patch
is worthless, since ssh-askpass is no more secure than native read stuff
out of the keyboard buffer by the original code.

In fact, I'd rather see SSH_ASKPASS && DISPLAY be honored without having
some additional variable. That way there is no need to add in parsing of
ssh_config/config into commands that should be by default standalone.
> read_passphrase(). And no need for redirecting stdin (and I don't really
> want this on an interactive ssh session)
>
> Sebastian
> --
> signature intentionally left blank.
>
- Ben
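
A defender-side check for the risk raised in the reply above (an easily redefined variable handing the passphrase prompt to an external command), as an added example that is not part of the thread or of OpenSSH. The helper name `askpass_is_trustworthy` and its acceptance policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: vet the program named by SSH_ASKPASS before trusting it.
# askpass_is_trustworthy is a hypothetical helper; the policy (absolute
# path, regular executable, owner root or self, no group/world write) is
# an assumption of this example, not something OpenSSH enforces.

askpass_is_trustworthy() {
    p=$1

    # A relative name would be resolved through $PATH, a second variable
    # that is just as easy to redefine as SSH_ASKPASS itself.
    case $p in
        /*) ;;
        *) echo "reject: not an absolute path: $p" >&2; return 1 ;;
    esac

    if [ ! -f "$p" ] || [ ! -x "$p" ]; then
        echo "reject: not an executable regular file: $p" >&2
        return 1
    fi

    # -L follows symlinks so the target's mode and owner are examined.
    if [ -n "$(find -L "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "reject: group- or world-writable: $p" >&2
        return 1
    fi

    if [ -z "$(find -L "$p" -prune \( -user 0 -o -user "$(id -u)" \))" ]; then
        echo "reject: owned by neither root nor the current user: $p" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: report on whatever the current environment names.
if [ -n "${SSH_ASKPASS:-}" ]; then
    if askpass_is_trustworthy "$SSH_ASKPASS"; then
        echo "SSH_ASKPASS=$SSH_ASKPASS passed the checks"
    else
        echo "SSH_ASKPASS=$SSH_ASKPASS failed the checks"
    fi
fi
```

Passing these checks only narrows the risk: the parent directories and the origin of the variable itself are not examined.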
More information about the openssh-unix-dev mailing list